DNS unresponsive to clients
-
@robbiett said in DNS unresponsive to clients:
LAN interfaces to avoid a Resolver restart when my WAN link goes
I bind my outgoing to loopback.. That never goes down ;)
And why would you have it listen on your wan? You serving up dns off your wan interface? When it talks outbound, that traffic would be natted to your public IP anyway, etc.
An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11 -
@johnpoz said in DNS unresponsive to clients:
And why would you have it listen on your wan? You serving up dns off your wan interface? When it talks outbound, that traffic would be natted to your public IP anyway, etc.
That was my thought too. As to why it included WAN - well that is the default set in pfSense.
localhost makes much more sense and what I had set on previous non-pfSense routers.
๏ธ -
@robbiett I think they have it listen on all as default because you never know what users might setup, or add etc. so with all its a given that it will listen on all interfaces..
But you could prob have a discussion about outbound default to localhost...
-
-
An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11 -
@markster https://redmine.pfsense.org/issues/5413
(Hope towards the bottom) ;) -
@johnpoz said in DNS unresponsive to clients:
@robbiett where is your local host in your listen?
Its hard to see can you not expand that box?Small walk of shame for me as I didn't know the box could be simply dragged to expand it.
[Using Safari in screenshot]
๏ธ -
@johnpoz said in DNS unresponsive to clients:
I bind my outgoing to loopback.. That never goes down ;)
And why would you have it listen on your wan? You serving up dns off your wan interface? When it talks outbound, that traffic would be natted to your public IP anyway, etc.
@johnpoz Just to say thank-you and that I set my resolver as per your advice:
๏ธ[yes, I nearly forgot about it...]
-
For these two images - what about this one :
Trust your firewall.
Do not trust the admin.Select for both : "All", save, apply, and call it a day.
Netgate delivered pfSense with the "both All" selected and said : that's "ok and save and useful".
Nowhere they say that you need (have to) to modify it.If doubt : Contact Netgate and try to learn them 'networking'
( and please, tell us how that went )No "help me" PM's please. Use the forum, the community will thank you.
Edit : and where are the logs ?? -
@Gertjan said in DNS unresponsive to clients:
Nowhere they say that you need (have to) to modify it.
If doubt : Contact Netgate and try to learn them 'networking'
( and please, tell us how that went )Dude, I followed sensible advice from @johnpoz. I don't need to bother Netgate - they put the option in their documentation:
The network interface(s) to which the DNS Resolver will bind when listening for queries from clients.
By default the DNS Resolver listens on every available interface and IPv4 and IPv6 address. This option limits the interfaces where the DNS Resolver will accept and answer queries. This can be used to increase security in addition to firewall rules.
๏ธ -
@Gertjan said in DNS unresponsive to clients:
Nowhere they say that you need (have to) to modify it.
Nope nothing saying you need to modify it.. You do you - if you like all, then use all.. Is that the most secure setup or best optimal setup? What I would say is its the "safest" setup for when yo don't know what the network setup will actually be.. So its a valid "default" setup.
